Threat Actors Leveraging Microsoft Applications to Deliver Cobalt-Strike Beacons
DLL (Dynamic-Link Library) sideloading is a technique used by Threat Actors to infect users using legitimate applications which load malicious DLL files that spoof legitimate ones. Recently Cyble Research Labs published a blog about Qakbot malware that leverages a calculator to perform DLL Sideloading.
Similarly, we came across a Twitter post wherein researchers mentioned a document file that performs DLL Sideloading using Microsoft applications such as “Teams.exe” and “OneDrive.exe.” The dropped DLL contains the C&C URL through which the malware can deliver a Cobalt-Strike beacon.
Cobalt Strike is a penetration testing product that allows Threat Actors (TAs) to deploy an agent named ‘Beacon’ on the victim machine. The Beacon provides various functionalities to TAs, including command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning, and lateral movement.
Several TAs are actively using this tool, from ransomware operators to espionage-focused Advanced Persistent Threats (APTs).
Upon analyzing the malicious doc file, we observed that it was targeting a company located in Italy that provides services such as Credit Servicing, Fund and Asset Management, and Real Estate services. The below figure shows the malicious document file content.
When opening the malicious document, it shows a security warning stating that macros have been disabled. The malware then requests the user to enable the content. Once enabled, the malicious document runs the macro code automatically in the background using the AutoOpen() function.
The malware then calls the function process(), which identifies the path of the OneDrive and Teams applications. The below figure shows the VBA macro code with the base64 decoded path of the OneDrive and Teams applications.
In the event that any of the application’s paths are identified by the malicious document, the malware drops a DLL file in that path with the name cache-XJDNSJWPFHD.tmp and renames it as iphlpapi.dll by calling the EnableContent() function as shown below.
The document file contains an embedded DLL file in reversed Base64 encoded format. The malware then calls the GetParagraph() function, which gets the Base64 encoded strings and performs the StrReverse and Base64Decode operations to drop the malicious DLL file in the location where the OneDrive and Team applications are present.
The below figure shows the malicious DLL file dropped in the Teams and OneDrive locations.
Upon execution of the Teams application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded, as shown below.
The below figure shows the code of sideloaded DLL malware, which creates a mutex with the name “MSTeams.Synchronization.Primitive.2.0″ to avoid running another instance on the same machine. The malware then communicates to the C&C server using the below URL: d2xiq5m2a8wmm4.cloudfront[.]net/communications.
While monitoring the malware’s traffic, we observed the C&C communication with the same URL mentioned above.
After analysing the C&C URL: d2xiq5m2a8wmm4.cloudfront[.]net/communications, we concluded that it executes a Cobalt-Strike on the victim’s machine.
The Cobalt-Strike Beacon can be used for malicious activities such as downloading additional payloads, lateral movement, etc.
TAs are adopting various sophisticated techniques to deploy malware. In this particular case, we observed how TAs are using Microsoft apps such as Teams and OneDrive to sideload a malicious library file that can deploy the Cobalt Strike Beacon.
Cyble Research Labs continuously monitors all new and existing malware to keep our readers aware and informed.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Avoid downloading files from unknown websites.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links, email attachments, or unknown document files without verifying their authenticity.
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solution on the employees’ systems.
MITRE ATT&CK® Techniques
|Tactic||Technique ID||Technique Name|
|Deobfuscate/Decode Files or Information |
Hijack Execution Flow: DLL Side-Loading
Hide Artifacts: VBA Stomping
|Command and Control||T1071||Application Layer Protocol|
Indicators of Compromise (IOCs)
|d2xiq5m2a8wmm4.cloudfront.net||URL||Cobalt-Strike C&C URL|